Amazon Cognito | Federate identities and provide secure access to AWS resources Flashcards
How can I migrate my existing users into an Amazon Cognito user pool?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
You can use our import tool to migrate your existing users into an Amazon Cognito user pool. User attribute values are imported from a .csv file, which can be uploaded through the console, our APIs, or CLI. When imported users first sign in, they confirm their account and create a new password with a code sent to their email address or phone. There is no additional cost for using the import tool. To learn more, see the import tool documentation.
The import tool does not migrate passwords. If you want to retain your users’ current passwords, you might consider an alternative approach to migrate users one at a time as they sign-in to your app during a transition period. With this approach, your app first tries to sign-in the user with your Cognito user pool. If that user doesn’t exist in the user pool, your app will sign the user in with your existing identity system and temporarily retain the username and password used to do so. After a user successfully signs in with your existing identity system, your app would then use the same username and password to create the user in your Cognito user pool. This approach requires maintaining your existing identity system during the transition period, but after the transition period ends, you can use our import tool to import the remaining users (without their passwords).
Can I use Cognito Identity to federate identities and secure access to AWS resources?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
Yes, Cognito Identity enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in AWS or any service behind Amazon API Gateway. Amazon Cognito works with external identity providers that support SAML or OpenID Connect, social identity providers (such as Facebook, Twitter, Amazon) and you can also integrate your own identity provider.
Which public identity providers can I use with Amazon Cognito Identity?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
You can use Amazon, Facebook, Twitter, Digits, Google and any other OpenID Connect compatible identity provider.
What is an Identity Pool?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
Identity pools are the containers that Cognito Identity uses to keep your apps’ federated identities organized. Identity Pool associates federated identities from social identity providers with a unique user specific identifier. Identity Pools do not store any user profiles. An identity pool can be associated with one or many apps. If you use two different identity pools for two apps then the same end user will have a different unique identifier in each Identity Pool.
How does the login flow work with public identity providers?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
Your mobile app authenticates with an Identity Provider (IdP) using the provider’s SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token or the SAML assertion returned from the IdP is passed by your app to Cognito Identity, which returns a new Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.
Can I register and authenticate my own users?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
Cognito Identity can integrate with your existing authentication system. With a simple API call you can retrieve a Cognito ID for your end users based on your own unique identifier for your users. Once you have retrieved the Cognito ID and OpenID Token Cognito Identity provides, you can use the Cognito Identity client SDK to access AWS resources and synchronize user data. Cognito Identity is a fully managed identity provider to make it easier for you to implement user sign-up and sign-in for your mobile and web apps.
How does Cognito Identity help me control permissions and access AWS services securely?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
Cognito Identity assigns your users a set of temporary, limited privilege credentials to access your AWS resources so you do not have to use your AWS account credentials. The permissions for each user are controlled through AWS IAM roles that you create. You can define rules to choose the IAM role for each user, or if you are using groups in a Cognito user pool, you can assign IAM roles based on groups. Cognito Identity also allows you to define a separate IAM role with limited permissions for guest users who are not authenticated. In addition, you can use the unique identifier that Cognito generates for your users to control access to specific resources. For example you can create a policy for an S3 bucket that only allows each user access to their own folder within the bucket.
When using public identity providers, does Amazon Cognito Identity store users’ credentials?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
No, your app communicates directly with the supported public identity provider (Amazon, Facebook, Twitter, Digits, Google, or an Open ID Connect-compliant provider) to authenticate users. Cognito Identity does not receive or store user credentials. Cognito Identity uses the token from the identity provider to obtain a unique identifier for the user and then hashes it using a one-way hash so that the same user can be recognized again in the future without storing the actual user identifier.
Does Cognito Identity receive or store confidential information about my users from the identity providers?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
No. Cognito Identity does not receive any confidential information (such as email address, friends list, etc.) from the identity providers.
Do I still need my own backend authentication systems with Cognito Identity?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
No. Cognito Identity supports login through Amazon, Facebook, Twitter, Digits, and Google, as well as providing support for unauthenticated users. With Cognito Identity you can support federated authentication, profile data sync store and AWS access token distribution without writing any backend code.
What if I don’t want to force my users to log in?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
Cognito Identity supports the creation and token vending process for unauthenticated users as well as authenticated users. This removes the friction of an additional login screen in your app, but still enables you to use temporary, limited privilege credentials to access AWS resources.
What are unauthenticated users?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
Unauthenticated users are users who do not authenticate with any identity provider, but instead access your app as a guest. You can define a separate IAM role for these users to provide limited permissions to access your backend resources.
Does Cognito Identity support separate identities for different users on the same device?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
Yes. Cognito Identity supports separate identities on a single device, such as a family iPad. Each identity is treated separately and you have complete control over how your app logs users in and out and how local and remote app data is stored.
How do I store data associated with Cognito Identity?
Federate identities and provide secure access to AWS resources
Amazon Cognito | Security, Identity & Compliance
You can programmatically create a data set associated with Cognito Identity and start saving data in the form of key/value pairs. The data is stored both locally on the device and in the Cognito sync store. Cognito can also sync this data across all of the end user’s devices.
